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CYBER PREPAREDNESS AND RESPONSE AT 
THE LOCAL LEVEL 


Thursday, April 7, 2016 

U.S. House of Representatives, 

Committee on Homeland Security, 
Subcommittee on Cybersecurity, Infrastructure 
Protection, and Security Technologies, 

Sherman, TX. 

The subcommittee met, pursuant to call, at 11:09 a.m., in the 
Mabee Foundation Banquet Room, Wright Campus Center, Austin 
College, 1301 East Brockett, Sherman, Texas, Hon. John Ratcliffe 
[Chairman of the subcommittee] presiding. 

Present: Representative Ratclife. 

Also present: Representative Burgess. 

Mr. Ratcliffe. Good morning. The Committee on Homeland Se- 
curity, Subcommittee on Cybersecurity, Infrastructure Protection, 
and Security Technologies will come to order. 

The subcommittee is meeting today to learn how State and local 
officials prepare for, respond to, and investigate cyber incidents, 
and to learn about different cyber training opportunities for State 
and local officials to bolster our cyber preparedness and response. 

I appreciate the effort taken by everyone that is involved here to 
put together an important field hearing. I would like to start by 
thanking our friends here at Austin College for letting us hold this 
hearing today here at the Mabee Hall. 

This is an official Congressional hearing, as opposed to a town 
hall meeting, and, as such, there are certain rules of the Com- 
mittee on Homeland Security and the House of Representatives 
that we have to abide by. So for our guests here today, we can’t 
have demonstrations from the audience, including applause, verbal 
outbursts, the use of signs or placards. All those things, as fun as 
they may sound, are a violation of the rules of the House of Rep- 
resentatives. It is important that we do respect the decorum and 
rules of the committee, and I have also been requested to say that 
photography and cameras are limited to accredited press only and 
can’t be used for campaign or political purposes. 

As Americans become more aware every single day as they turn 
on their computers and their televisions, cyber threats are expo- 
nentially increasing. They come from criminal organizations, nation 
states like China, Russia, and Iran, and even terrorist groups like 
ISIS. These attackers don’t only target Federal networks, big 
banks, and National retail chains. They also hit towns and families 
and local businesses. So there is a great need to address cybersecu- 
rity at the State and local level. 


( 1 ) 
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From emergency response centers, Department of Motor Vehicle 
offices, to courthouses and our critical infrastructure, the exploit- 
able vulnerabilities and possible consequences for public safety are 
alarming. On the law enforcement side, FBI Director Jim Comey 
recently testified that an element of virtually every National secu- 
rity threat and crime problem that the FBI faces is cyber-based or 
facilitated. It is incredible that Federal law enforcement is seeing 
a cyber element to almost every single crime. 

Because society is increasingly connected, we can be certain that 
our State and local law enforcement are seeing the same trend, ar- 
guably with even fewer tools to address it. It no longer takes a so- 
phisticated cyber criminal to compromise sensitive information 
from companies and from everyday Americans, and law enforce- 
ment is seeing a cyber element to almost every crime. It is vital 
that State and local law enforcement, the prosecutors and judges 
all be properly trained to respond to cyber crime and to protect the 
American people. 

We have recently seen a flurry of ransomware attacks against 
hospitals, including at least one located here in the 4th Congres- 
sional District of Texas, where patients’ personal medical data is 
encrypted and held hostage until the hospital pays a ransom to get 
it back. As reports indicate, cyber attacks against emergency work- 
ers are spiking and will continue to rise. 

We all recognize that interconnectivity and automation increase 
convenience and improve responses. Emergency services are just 
one area where automation and interconnectivity provide clear ben- 
efits to us all. But while these technologies increase efficiency and 
cut costs, they do present new risks that, if exploited, could bring 
vital emergency services and our critical infrastructure to a halt. 

Regardless of the magnitude of a natural or man-made disaster, 
first responders — firemen, police, paramedics, and National 
Guardsmen — are the ones, the first ones that are on the scene. 
Their ability to communicate and to execute key command-and-con- 
trol responsibilities during an incident often depends entirely on 
internet-enabled technologies. 

As we examine cyber preparedness and response at the State and 
local level, I am pleased that we are joined by a number of distin- 
guished witnesses this morning who are at the tip of the spear in 
this effort. I look forward to hearing about how they are preparing 
for, responding to, and mitigating and investigating the threats 
that we face right now in cyber space. 

I am also pleased that this hearing is taking place not in the 
halls of Congress today but right here in the 4th Congressional 
District of Texas, the first-ever Congressional hearing here in 
Grayson County. The police, prosecutors, judges, paramedics, and 
firefighters, they all need the appropriate tools and training to re- 
spond to the increasing threats that we face, and to make sure that 
they are fully equipped, we need to hear directly from them. The 
best solutions, believe it or not, don’t usually come from Wash- 
ington, DC. People often hear me say that governing is a team 
sport, and I think that today’s hearing and the location of today’s 
hearing hopefully reinforces that fact. 

As Chairman of this subcommittee, I have been closely exam- 
ining these challenges. I will continue to lead efforts in Congress 
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to strengthen our Nation’s cyber defenses and provide for the com- 
mon defense against these National security threats. 

Last fall, I authored and moved legislation to strengthen State 
and local cyber crime-fighting efforts. Specifically, the legislation 
would support the National Computer Forensics Institute, or NCFI, 
which is run by the United States Secret Service, and provides 
greatly-needed cyberforensics training to State and local law en- 
forcement across the country, including those right here in Texas’ 
4th District. In fact, we are pleased today that one of our wit- 
nesses, former Greenville Detective Don Waddle, was trained at 
the NCFI. 

Today I hope this subcommittee will learn more about how first 
responders here in Texas are being trained to address cyber inci- 
dents, how first responders are preparing for and responding to 
cyber incidents, and how local law enforcement officials are being 
trained in computer forensics. 

This hearing will provide needed background to further reinforce 
the subcommittee’s efforts regarding cyber training and workforce 
needs at the State and local level. Cybersecurity is a shared re- 
sponsibility, including all levels of government and the private sec- 
tor. 

While much has been done to improve our Nation’s cybersecurity, 
there are a number of challenges that remain. I look forward to 
hearing from our witnesses today as we consider ways to address 
those challenges. 

My good friend, Mr. Burgess of Texas, is here today, and I ask 
unanimous consent for him to be permitted to sit and participate 
in today’s hearing. 

Without objection, so ordered. 

Other committee Members are reminded that opening statements 
may be submitted for the record. 

Before I introduce the distinguished panel of witnesses before us 
on this important topic today, again I would like to thank a num- 
ber of folks that are here. 

I mentioned Austin College President Hass, for always being a 
hospitable host to us. 

We have a number of law enforcement folks that are here today 
that are not testifying. 

Lieutenant McGreevy from Sherman Police Department. 

From Denison Police Department we have Assistant Chief Joe 
Clapp, Assistant Chief Don Maury, Paris Fire Chief Larry Wright, 
and Assistant Chief Thomas McGonagall. 

Constable Bob Douglas from Grayson County; Commissioner Jeff 
Whitmeyer from Grayson County; Dan Sharp from the Denison IT 
department; Tom Watt, a Grayson County sheriff-elect. 

We have Rita Knowles, justice of the peace, who is here, Tammy 
Johnson from the Sherman City Council, Kevin Couch from the 
Sherman City Council, Reggie Smith, esteemed local activist. 

We have assistant chief of the Sherman Police Department, Lieu- 
tenant John Henneberg, here. I would also like to welcome Terra 
Petty and Daryl Birkland from Wilson and Jones IT department. 

I am sure I am leaving some others out and I apologize, but I 
am trying to recognize everyone who has taken the time to be here, 
including a number of students here from Austin College. Welcome. 
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Thank you for being a hospitable host to us. I would say that I 
have been the beneficiary personally of a number of Austin College 
students who have interned in my Congressional office, and a num- 
ber of them are here today. Thank you for coming back. It is great 
to see you all again. 

With that, I would like to recognize our distinguished panel of 
testifying witnesses this morning. 

We have with us Mr. A1 Davis, who is the deputy director and 
chief operations officer at Texas A&M Engineering Extension Serv- 
ice. Welcome, Mr. Davis. 

Mr. Davis. Thank you, sir. 

Mr. Ratcliffe. We have Mr. Sam Greif, the chief of the Plano 
Fire-Rescue Fire Department, who is testifying on behalf of the 
International Association of Fire Chiefs. Welcome, Chief. 

Mr. Greif. Thank you, sir. 

Mr. Ratcliffe. We have Mr. Richard Wilson, who is a lieutenant 
with the Dallas Police Department. Welcome, lieutenant. 

Last but not least, we have now-retired Detective Don Waddle 
from the Greenville Police Department. 

Mr. Waddle. Thank you, sir. 

Mr. Ratcliffe. Very good. All right. 

With that, I would like to ask the witnesses to stand so that I 
can administer an oath. 

[Witnesses sworn.] 

Mr. Ratcliffe. Let the record reflect that the witnesses have an- 
swered in the affirmative. 

The witnesses’ full written statements will appear in the record. 

You may be seated. 

The Chair now recognizes Mr. Davis for 5 minutes for his open- 
ing statement. 

STATEMENT OF ALPHONSE DAVIS, DEPUTY DIRECTOR/CHIEF 

OPERATIONS OFFICER, TEXAS A&M ENGINEERING EXTEN- 
SION SERVICE 

Mr. Davis. Thank you very much, Mr. Ratcliffe. I would like to 
thank you and also Mr. Burgess and other Members of the sub- 
committee. It is an honor to appear here before you on behalf of 
our agency, the Texas A&M Engineering Extension Service, to dis- 
cuss cyber preparedness and response at the local level. 

I will start by telling you just a little bit about TEEX. We are 
affectionately known as TEEX to those that we train and that we 
partner with. We began training in 1930. The impact is at the 
local. State, and National, and global levels. We cover training and 
technical assistance across the entire homeland security enterprise 
domain to include cybersecurity, and an important part of our mis- 
sion and our role is our extension service, we are proud to say, to 
the great State of Texas. 

Our relationships. First of all, we have relationships with re- 
sponders across all disciplines, all 16 disciplines, at the State and 
local levels. With DHS/FEMA, we have relationships not only with 
the National training and education division but with CS&C, Cy- 
bersecurity and Communications, who we dialogue with. We also 
dialogue with the Infrastructure Protection Directorate, Personal 
Protection Directorate, and the Office of Bombing Prevention. 
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We also have consortium memberships, first of all, since 1998, 
with the National Domestic Preparedness Consortium, with the 
National Cybersecurity Preparedness Consortium, and we are also 
a member of the Forensics Consortium. Those memberships help us 
to address cybersecurity across a number of areas. 

Our role in addressing the cybersecurity challenge began in 2010 
when DHS/FEMA asked us to take on some training that was pre- 
viously done on a competitive training grant. We have also linked 
cybersecurity to emergency planning and response, and we think 
that is very, very important. 

Why we think it is important: I think the police chiefs and fire 
chiefs would agree, we used to think about cybersecurity on the left 
hand and emergency planning and response on the right hand, and 
they should be thought about together, because if the emergency 
response planner or manager thinks that they can really put off a 
plan or respond without cyber intrusion, that is not accurate. That 
is really not accurate because of those reasons you stated, sir. 

We have done some pioneering efforts also, and what I mean by 
that is when we visit a lot with our partners at DHS/FEMA, we 
didn’t visit in silos. We thought there was a need to bring them to- 
gether, and we are proud to say that we did, in fact, bring those 
different entities together to actually develop further training. So 
again, we were pioneers in that effort. 

We also at TEEX, through cybersecurity technical assistance and 
vulnerability assessments — that is very important, we do that not 
only with some universities, but we have been doing that with 
some communities. We have done some training also, assessments 
that is, in Congress, and Texas also, sir. 

As far as our products go — and that is our training courses — this 
focuses also on training, and I will refer to something we sub- 
mitted, our statement. We had 5 instructor-led courses. Four deal 
with cyber and incident management, and it comes from the com- 
munity level, the Essentials of Community Cybersecurity, Commu- 
nity Preparedness, and Community Cybersecurity Exercise Plan- 
ning. 

We also have 10 on-line courses that are provided at no cost to 
individuals, designed for 3 levels of students, including the general 
user, which is very important — ^you addressed that, sir — the infor- 
mation technology staff and specialists, and for business managers 
also. So again, that training is, at no cost, available to the general 
public. 

As far as our results, over the last 5 years TEEX has provided 
cybersecurity training for students and participants in 40 States 
and 5 territories, reaching a total of 32,900 training instances, and 
we think that is very, very important. 

As we move forward, sir, we will continue to work closely with 
States and local communities in identifying their needs and sup- 
porting their efforts. States have reported, through the National 
Preparedness Reports beginning in 2012, that cybersecurity is a 
key National area of improvement and concern, and it is listed as 
a top priority in the 2014 and 2015 National Preparedness Report. 

So again, we are very, very pleased to be here. We have sub- 
mitted a statement in more detail, and I will be willing, sir, when 
appropriate, to take your questions that you may have. 
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[The prepared statement of Mr. Davis follows:] 

Prepared Statement of Alphonse Davis 
April 7, 2016 

Chairman Ratcliffe, and other distinguished Members of the subcommittee, it is 
an honor to appear before you today on behalf of the Texas A&M Engineering Ex- 
tension Service (TEEX) to discuss cyber preparedness and response at the local 
level. 


HISTORY OF TEEX EMERGENCY MANAGEMENT TRAINING PROGRAM 

TEEX, a State of Texas agency and member of the Texas A&M University System 
(TAMUS), began training State and local responders in 1930, and today trains over 
170,000 annually from across the world. In 1998, TEEX became a founding member 
of the National Domestic Preparedness Consortium (NDPC). The NDPC is a part- 
nership of 7 universities and organizations that are the primary means through 
which the Department of Homeland Security/Federal Emergency Management 
Agency’s (DHS/FEMA) National Training and Education Division (NTED) provides 
training to State, local. Tribal, and territorial responders and communities in sup- 
port of PPD-8 — National Preparedness. The NDPC is Congressionally-authorized 
and annually appropriated funding through the Homeland Security National Train- 
ing Program to develop and deliver training for the Nation’s emergency first re- 
sponders within the context of all hazards; including chemical, biological, radio- 
logical, and explosive Weapons of Mass Destruction (WMD) hazards. To date the 
NDPC has trained over 2.4 million, more than 540,000 of which were trained by 
TEEX. 

This long-term relationship with State and local level emergency managers, re- 
sponders, and leaders, and infrastructure/industrial partners, along with more than 
20 years of experience in workforce and software development, prepared TEEX to 
provide training on preparedness and response for cyber incidents or attacks. In to- 
day’s connected world cyber refers to anything that contains, is connected to, or is 
controlled by computers and computer networks. 

BEGINNING OF TEEX CYBER TRAINING PROGRAM 

In 2010, at the request of FEMA, TEEX began training State and local commu- 
nities in cybersecurity awareness, specifically where local communities and respond- 
ers need to collaborate with their critical infrastructure partners in planning for and 
responding to a possible cyber attack or incident. TEEX launched this effort within 
their existing HSNTP funding (then fiscal year 2009 — $22,344,500) by continuing 
the delivery and maintenance of cyber courses originally developed under FEMA 
Continuing Training Grants and awarded to other universities. 

At the National level, the need for an increase in cybersecurity awareness and the 
ability to collaboratively plan with critical infrastructure partners was highlighted 
through PPD-21 — Critical Infrastructure Security and Resilience and EO-13636 — 
Executive Order Cybersecurity/Presidential Policy Directive on Critical Infrastruc- 
ture Security and Resilience. TEEX responded to the growing need by expanding the 
cyber training program and leveraging the partnerships with the DHS Office of In- 
frastructure Protection (IP) and the DHS Office of Cybersecurity and Communica- 
tions (CS&C). TEEX had previously developed 2 courses on the protection of critical 
infrastructure with DHS/IP and was asked to develop a third, which specifically-fo- 
cused on the challenges of both physical and cybersecurity on critical infrastructure, 
with DHS/IP and DHS/CS&C. 

CURRENT TEEX TRAINING AND ASSESSMENT PROGRAMS 

TEEX trains students through the DHS/FEMA HSNTP, offered at no cost to 
State, local. Tribal, and territorial communities, and includes: 

• 5 instructor-led courses that are delivered across the country and the U.S. terri- 
tories, allowing communities to train together in the classroom: 

• 4 courses on cyber and incident management 

• Promoting Community Cybersecurity 

• Essentials of Community Cybersecurity 

• Community Preparedness for Cyber Incidents 

• Community Cybersecurity Exercise Planning. 

• 1 course specifically addressing both physical and cybersecurity 

• Physical and Cybersecurity for Critical Infrastructure. 
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• 10 on-line courses, available at no cost to individuals, designed for 3 levels of 
student, including: 

• 3 courses for General Users, covering broadly-applicable awareness needs 

• 4 course for Information Technology staff and specialists, addressing security, 
forensics, and response techniques for IT systems 

• 3 courses for Business Management staff that include Risk Management and 
legal parameters critical to small businesses. 

In addition to training, TEEX also provides technical assistance, offering commu- 
nity and organizational vulnerability assessments and compliance reviews. Vulner- 
ability assessments include network vulnerability testing, review and validate IT se- 
curity processes, and review IT system security configurations, while compliance re- 
views include organizational policy conformance reports and recommendations to 
make their systems more secure. 

IMPLEMENTATION OF TEEX TRAINING PROGRAMS 

Over the last 5 years, TEEX has provided cybersecurity training for students in 
40 States and 5 territories, reaching a total of 32,290 students. These students 
trained both in the classroom and on-line. 

• Instructor-led training (delivered in local communities): 

• 345 deliveries to 8,413 students in the United States 

• 31 deliveries to 815 students in Texas. 

• Online training: 

• 23,877 students in the United States 

• 4,264 students in Texas 

• 50 students in TX District 4. 

FUTURE OF TEEX TRAINING PROGRAMS 

As we move forward, we will continue to work closely with States and local com- 
munities in identifying their needs and supporting their efforts. States have re- 
ported through the annual National Preparedness Reports, beginning in 2012, that 
cybersecurity is a key National area of improvement, listing it as a top priority in 
2014 and 2015. Some of our recent work in support of the States includes: 

• Working with States to provide employee training web portals with direct ac- 
cess to State-identified required on-line cyber training and reporting capabilities 
for States to monitor employee progress in completing the courses. Student 
training portals are now active for the States of Arkansas, Louisiana, and Wyo- 
ming, as well as Fresno Pacific University in California. 

• Most recently, as a member of the National Cybersecurity Preparedness Consor- 
tium (NCPC), consisting of 5 partners focused on training for State and local 
communities, TEEX is developing new training on the integration of cybersecu- 
rity into the local Emergency Operations Center (EOC). Through FEMA 
NTED’s Continuing Training Grants, TEEX will develop 2 hands-on courses, 
with simulated scenarios designed to develop managerial and operational-level 
skills sets. The first course, now in development and piloted in Utah and Rhode 
Island, is designed to help ensure that traditional emergency management per- 
sonnel and IT personnel recognize the importance of working together to miti- 
gate the effects of a cyber incident. A second, more technical, course will follow 
and will provide students with the key skills and processes needed to more ef- 
fectively defend their organizational networks. 

In summary, we will continue to focus on how we can further assist and prepare 
local entities for a cyher incident, as well as enhancing engagement with the public 
and private sectors in planning and response to a cyber incident. 

Mr. Ratcliffe. Thank you, Mr. Davis. 

The Chair now recognizes Chief Greif for his opening statement. 

STATEMENT OF SAM GREIF, CHIEF, PLANO FIRE-RESCUE 
DEPARTMENT, PLANO, TEXAS 

Mr. Greif. Good morning, Chairman Ratcliffe, Representative 
Burgess. Today I thank you for the opportunity to represent the 
International Association of Fire Chiefs to discuss this important 
topic. 

Cyher crime and cyher attacks are an ever-increasing threat to 
the American homeland. However, fire and emergency services are 
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still learning how to recognize these threats and the adverse effects 
of those to our operations. There have been attempts to use 
robocalls and other service attacks that would affect operations of 
9-1-1 public safety answering points. In addition, we have seen re- 
cent examples of cyber attacks against hospitals in California, Ken- 
tucky, and the Washington, DC area. 

The greater concern is that a cyber attack can be used in con- 
junction with kinetic bombing or an active-shooter incident to cre- 
ate confusion during the response. Fire and EMS departments 
must be vigilant for malware, phishing, spam, spyware, and other 
new and diverse threats. The keys to successful cybersecurity ef- 
forts for fire and EMS departments are multifaceted. 

We need to harden and test systems, stay aware of and informed 
by our new threats, and make sure that the staff are trained and 
prepared to prevent and to respond to a cyber incident. It is vital 
that fire and EMS departments take steps to protect themselves. 

During my tenure with the Fort Worth Fire Department, I 
oversaw our Fire Communications Division. In order to protect our 
computer-aided dispatch and 9-1-1 systems, IT departments seg- 
regated them from the outside world. This reduced their vulner- 
ability. We updated the systems by testing updates and manually 
installing them on our servers. 

To protect the PSAPs, departments have to constantly test the 
9-1-1 system vulnerabilities to make sure that they can withstand 
a concerted service attack. PSAPs also should be constructed se- 
curely from the outside attacks and have resilient systems as back- 
up. 

As public safety communications move to digital systems, they 
can become vulnerable to cyber attacks. These communication sys- 
tems must be secured. Fire and EMS departments also must stay 
aware of new threats. State and local fusion centers can provide in- 
formation about cyber threats. In addition. Federal information- 
sharing systems like the Homeland Security Information Network 
are good sources of cyber information for fire and EMS chiefs. 

Fire and EMS chiefs also should develop close working relation- 
ships with their local law enforcement, emergency managers, IT de- 
partments, and the surrounding jurisdictions. At Fort Worth, I 
worked with the local police and intelligence communities to stay 
aware of these threats. In Plano, I meet monthly with the police 
chief, the public safety communications director, the emergency 
management director, and among our discussions is how to im- 
prove and secure our communications systems. 

Major events require regional planning. For Super Bowl XLV in 
2011, we developed a multi-county consortium and developed a 
communications plan that actually included response to cyber ter- 
rorism. 

Finally, training and exercises are key to preventing and re- 
sponding to an incident. Antivirus software must be kept up-to- 
date. Staff should adopt preparedness and a culture to not put on 
any links to malware, spyware, or other threats. Fire and EMS 
chiefs also can study the effects of cyber attacks and other public 
safety and private organizations and learn how to mitigate the con- 
sequences before they occur. 
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The Federal Government can be an important partner in a Fed- 
eral cybersecurity regime. Many fire departments are not aware of 
the threat that they face. DHS can work with the U.S. Fire Admin- 
istration and the National Fire Academy to develop standards and 
training for all fire and EMS departments. Fire chiefs recommend 
that the U.S. Fire Administration’s budget be restored to the fiscal 
level of 2011, which was $45.6 million, in order to facilitate this 
type of educational effort. In addition, DHS can continue to fund 
the State Homeland Security Grant Program and the Urban Area 
Security Initiative, also known as UASI. These programs support 
their operations. In addition, these grants can be used to fund 
cyber components to regional training. Unfortunately, the adminis- 
tration’s fiscal year 2017 budget request would impose Draconian 
cuts on these programs. The State Homeland Security Grant Pro- 
gram will be cut by more than 50 percent, and the UASI program 
would be cut by 45 percent. We recommend that these programs 
be funded at least to the fiscal year 2016 level of $467 million for 
State Homeland Security Grant Program and $600 million for 
UASI. 

Thank you for the opportunity to represent Fire and Emergency 
Services at today’s hearing. Local fire and EMS departments must 
take necessary precautions to protect themselves from this new and 
emerging threat. In addition, the Eederal Government can provide 
critical information, education, and practical training about the 
threat of cyber attacks. 

I look forward to answering any questions you may have. 

[The prepared statement of Mr. Greif follows:] 

Prepared Statement of Sam Greif 
April 7, 2016 

Good morning, Chairman Ratcliffe, Ranking Member Richmond, and Members of 
the subcommittee. I am Chief Sam Greif of the Plano Fire-Rescue Department. 
Today I am pleased to testify on behalf of the International Association of Fire 
Chiefs. The lAFC represents more than 11,000 leaders of the Nation’s fire, rescue, 
and emergency medical services. Thank you for the opportunity to discuss important 
issues related to cybersecurity and the fire and emergency service. This is a growing 
threat that adds yet another mission for the America’s firefighters and emergency 
medical personnel. 


the problem of cybersecurity 

Cyber crime and cyber attacks are becoming a more prevalent threat to the Amer- 
ican homeland. A 2010 report by Norton found that two-thirds of the world’s popu- 
lation have been the victim of some form of cyber crime. A 2009 study by McAfee 
demonstrated that cyber crime, including security breaches and data theft, may 
have cost international business has much as $1 trillion. We have seen how cyber 
attacks can harm major universities, medical facilities, financial institutions, retail- 
ers, local governments, and Federal agencies. 

The fire and emergency service is just beginning to recognize how these threats 
can affect our operations. There have been attempts to use robocalls and other de- 
nial-of-service attacks to affect operations at 9-1-1 Public Safety Answering Points 
(PSAP). Just recently, we have seen a rash of cyber attacks against hospitals in 
California, Kentucky, and the Washington, DC area. In addition, we always must 
be vigilant for malware, phishing, spammers, and spyware which are aimed at infil- 
trating and debilitating our systems. 

From the fire and emergency service’s perspective, it is important that we protect 
vital systems that support our operations. The 9-1-1 systems are necessary for the 
public to call and request assistance during emergency situations. Computer-aided 
dispatch (CAD) systems are essential for determining which units are available to 
respond and assigning them to an incident scene. These units must be able to com- 
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municate with the dispatch center, command units and each other effectively at the 
incident scene. In addition, patient reporting information must be protected by the 
emergency medical service (EMS), because of the nature of the data. As the Nation 
transforms to a more digital world and the “Internet of Things,” all of these capa- 
bilities will be presented with an increasing number of opportunities to provide serv- 
ice to our citizens and a corresponding number of vulnerabilities to cyber threats. 

PROTECTING THE FIRE AND EMERGENCY SERVICE 

As they consider the various threats to their computer systems, fire and EMS de- 
partments must take steps to protect themselves. Before I became fire chief in 
Plano, I served for 30 years in the Fort Worth Fire Department, where I oversaw 
the city’s 9-1-1 center for 10 years. One of our major missions was to protect our 
CAD and 9-1-1 systems from cyber attacks. To protect our systems, we segregated 
them from the outside world. This action minimized the ability of outsiders to com- 
promise our systems through the internet. To update our systems, we would have 
to go to the server and install software manually. It is important to recognize, 
though, that most of a fire and EMS department’s computer systems, like human 
resources, email, and finance, will be part of the overall jurisdiction’s information 
technology (IT) systems. 

Fire and EMS departments also have to take steps to harden their systems. In 
order to protect their 9-1-1 systems from massed robocalls aimed at taking down 
the system, the departments have to constantly test their systems’ vulnerabilities 
to make sure that they can withstand heavy call volumes. The fire departments also 
have to download and use a testbed to evaluate all software before installing it. It 
is important to realize that — as communications systems move to digital systems 
that use VoIP — these systems need to be secure from cyber attacks that might com- 
promise life-saving operations on the fire scene. In addition, 9-1-1 Public Safety An- 
swering Points (PSAP) should be constructed to be secure from outside attacks and 
have resilient systems and back-up power. 

As with other threats, local fire and EMS chiefs must stay aware of new threats 
and prepare for them. The best way to stay informed is to develop relationships 
with intelligence fusion centers, Federal officials and local law enforcement. If fire 
and EMS departments can support the staffing requirements, they should have per- 
sonnel stationed at the State and local fusion centers. Grants administered by the 
Federal Emergency Management Agency (FEMA), including the State Homeland Se- 
curity Grant Program (SHSGP) and Urban Areas Security Initiative (UASI), will 
support fire and emergency service personnel in fusion centers. Fire and EMS de- 
partments also should maintain close relationships with local Joint Terrorism Task 
Forces. These resources will keep fire and EMS chiefs informed on the latest cyber 
threats and help them address any vulnerabilities. 

It also is important to develop close working relationships with local law enforce- 
ment officials. In Fort Worth, I worked with the local police intelligence unit, which 
was aware of new threats to the community. In Plano, the public safety group, com- 
posed of the city communications director, the police chief, the emergency manager 
and me, meet monthly to discuss threats and how to prepare for them. 

Federal information-sharing systems, like the Homeland Security Information 
Network (HSIN), also can provide important information about cyber threats and 
how to prepare for them. HSIN is a National, secure, web-based portal for informa- 
tion sharing and collaboration between Federal, State, local, Tribal, territorial, and 
private-sector partners. HSIN has a community of interest dedicated to the fire and 
emergency service. The U.S. Department of Homeland Security (DHS) must make 
sure that cybersecurity-related information is added to this community of interest, 
so that local fire and EMS chiefs can access it. 

Since fire and EMS departments depend on mutual aid to respond to major inci- 
dents, they should address cybersecurity concerns as part of their planning and 
training. Communications must be interoperable during an incident; a breakdown 
in communications or dispatch systems during an incident could cause confusion at 
a critical time. To address this risk, the North Central Texas Council of Govern- 
ments addressed cybersecurity as part of its interoperability plans. For Super Bowl 
XLV in 2011, the Multi-Quad County Consortium developed a communications plan 
that addressed cybersecurity concerns and developed plans for responding to a cyber 
attack. 

Finally, training and exercises are key to preventing and responding to an inci- 
dent. One of the basic ways to protect computer systems is to train staff not to click 
on spamware, malware, or spoofing attacks. In addition, fire and EMS departments 
must ensure that all of their virus software is up-to-date. These are simple tasks 
that can protect a system. Fire and EMS departments also can audit their systems 
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to evaluate vulnerabilities. It also is worthwhile to study the effects of cyber attacks 
on other public safety organizations to see how their operations were affected and 
what they did to mitigate the damage. Local fire and EMS departments can work 
with local law enforcement agencies, emergency managers and the jurisdictions’ IT 
staff to plan and exercise contingency plans in case of cyber attacks aimed at taking 
down key systems. 

THE FEDERAL GOVERNMENT’S ROLE 

The Federal Government can be an important partner. Most importantly, it can 
help educate fire and EMS departments about the cybersecurity threat. The DHS’s 
Office of Cybersecurity and Communications (C&SC) can work with FEMA to raise 
awareness in local fire departments about the threats that cyber attacks can pose. 
The U.S. Fire Administration (USFA) is an agency within FEMA that supports the 
local fire and emergency service. By working with USFA and its National Fire Acad- 
emy, C&SC can develop education and training to help fire and EMS departments 
learn how to determine which systems might be vulnerable to cyber attacks and 
make the necessary changes to protect them. It is important to note that the Presi- 
dent’s fiscal year 2017 budget proposes to cut USFA by $1.7 million. We recommend 
that — instead — Congress fund USFA at the fiscal year 2011 level of $45.6 million, 
so that the agency can develop training for emerging threats like cybersecurity. 

Also, DHS can continue to support training and exercises to help fire and EMS 
departments prepare for the threat of a cyber attack. A cyber-related component can 
be added to the State and local exercises. In addition, DHS should continue to sup- 
port State and local fusion centers, which serve an important purpose in sharing 
threat information. These programs are funded though the SHSGP and UASI pro- 
grams. Unfortunately, the President’s fiscal year 2017 budget proposes to cut these 
programs drastically. The budget would cut the SHSGP program to $200 million (a 
decrease of more than 50%) and the UASI program would be cut to $330 million 
(a 45% cut). We urge Congress to fund these programs — at least — at the fiscal year 
2016 level of $467 million for the SHSGP program and $600 million for the UASI 
program. 

Recently, the DHS National Protection and Programs Directorate (NPPD) an- 
nounced a proposal to realign itself to have a greater focus on cybersecurity. Over- 
all, the lAFC is supportive of this proposal. However, we have concerns about how 
this realignment would affect the Office of Emergency Communications (OEC). The 
OEC’s mission is to promote public safety communications interoperability using a 
local stakeholder-directed approach. The lAFC and other public safety organizations 
do not support efforts to move OEC under the Infrastructure Security component. 
Instead, we recommend that OEC remain a separate component within NPPD. 

CONCLUSION 

Thank you for the opportunity to testify at today’s hearing. Cybersecurity is an 
issue of growing importance to the Nation. A breakdown of a fire and EMS depart- 
ment’s CAD or communications system during the response to an incident could re- 
sult in tragic consequences. It is important that local fire and EMS departments 
strengthen their systems to protect them. In addition, fire and EMS chiefs should 
develop strong working relationships with Federal, State, and local law enforcement 
officials to be aware of emerging threats. Finally, local fire and EMS chiefs should 
make sure that their staff are trained in basic cybersecurity safety, and plan and 
exercise for the consequences of a successful cyber attack. Taking these necessary 
precautions should help local fire and EMS departments to adapt to this emerging 
threat. 

Mr. Ratcliffe. Thank you, Chief Greif. 

The Chair now recognizes Lieutenant Wilson for his opening 
statement. 

STATEMENT OF RICHARD F. WILSON, LIEUTENANT, DALLAS 
POLICE DEPARTMENT, DALLAS, TEXAS 

Mr. Wilson. Good morning, sir. Chairman Ratcliffe, Mr. Bur- 
gess, thank you and Ranking Member Richmond for the oppor- 
tunity to testify today. 

The challenges faced hy law enforcement at the local level in pre- 
paring for and preventing cyher attacks are on the rise and con- 
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tinue to be difficult. While all Americans recognize our dependence 
on the internet and telecommunications devices to stay connected 
with the world, this increasing level of connectivity has resulted in 
additional responsibilities for public officials and law enforcement 
to police the world-wide communications network without impeding 
communications between the members of our community. 

The first and perhaps most difficult challenge the Dallas Police 
Department and our community partners face today is our total re- 
liance on computer networks for operational and investigative func- 
tions. This all-inclusive dependence allows for a much greater neg- 
ative impact on our abilities to perform our duties when these sys- 
tems fail or become infected. 

Second, the extent of this connectivity enables persons and orga- 
nizations with malicious intent to conduct cyber attacks from great- 
er distances. This ability for a hacker to attack systems world-wide 
expands the list of possible suspects to all of the world’s population 
that possess a smartphone or computer that is connected to the 
internet. 

Third, the quantity of information passing through all commu- 
nications networks allows hackers to avoid the trained systems an- 
alysts and target their attacks to enter networks at their weakest 
points, by exploiting lapses in security committed by end-users or 
consumers. 

Since cyber attacks recognize no State and local jurisdictional 
boundaries, public officials and corporate managers must coordi- 
nate their investigative and management processes to define roles 
for all the partners. 

The pace at which technology continues to advance is currently 
outpacing law enforcement’s ability to educate its workforce to rec- 
ognize and address cyber crime activity. For those officials that do 
recognize the necessity to increase security infrastructures, and 
choose to develop or subscribe to cyber protection programs, the 
costs associated with these efforts often compete with funds re- 
quired to maintain other essential tasks within the organizations, 
where the impact from these other functions can be more readily 
counted and observed by such measures as crime rates and re- 
sponse times to calls for service. 

For those State and local agencies that commit funds for hiring 
cyber-trained personnel, these agencies are often unable to compete 
financially with compensation packages and programs offered by 
private corporations and Federal agencies. 

Lastly, while most State and local agencies recognize their need 
to enhance cyber training for their existing workforce, the growing 
demand for cybersecurity and cyber investigative training far ex- 
ceeds the current class sizes and training opportunities. 

Cyber training is an expanding area of instruction that often pro- 
vides training to State and local partners at reduced costs or with- 
out tuition. While these programs reduce the direct costs of obtain- 
ing training for State, local, and Tribal employees, some indirect 
costs may result from committing a portion of the workforce to 
training. The student employee’s absence can produce temporary 
staffing shortages that may adversely affect the employer agency’s 
responsiveness to calls for service, visual presence and enforcement 
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activity in the community, and the ability to conduct timely inves- 
tigations of reported crimes. 

Due to the size and mission of the Dallas Police Department, and 
the wide range of assignment-based duties performed by DPD offi- 
cers and civilians, supervisors within each division or unit are re- 
sponsible for identifying job-specific training needs beyond State- 
mandated training requirements, and obtaining instruction for all 
employees within their workgroup. 

Currently, a variety of on-site cyber training courses are offered 
by organizations such as the Federal Law Enforcement Training 
Center in Georgia, the National Computer Forensics Institute in 
Alabama, and Abbott Laboratories in Illinois. Some examples of ad- 
ditional training that can be obtained on-line are SEARCH On-line 
training and at the National White Collar Crime Center. There are 
also additional training and support programs offered by other 
DHS components, FEMA and ICE, as well as the Multi-State Infor- 
mation Sharing and Analysis Center. 

While detectives and analysts from the Dallas Fusion Center 
have been able to attend some of these training programs, there 
are always challenges for a first responder organization like the 
Dallas Police Department. As such, our core capabilities at the Dal- 
las Fusion Center are always subject to staffing patterns, personnel 
changes, and other policy considerations, so that to keep our level 
of current cyber expertise consistent and on the cutting edge we 
need affordable access to cost-effective and timely training to stay 
on the vanguard. 

Having said that, I think we can all agree that this challenge is 
one we face as a Nation, and not just in a select few States, re- 
gions, or cities. It will take a full-time training effort and identified 
funding resources for the first responders of the Dallas Police De- 
partment and other major metropolitan cities across the country to 
stay current in our struggle to meet the increasing sophistication 
of cyber crime, especially in today’s threat landscape. 

While much progress has been made in identifying the needs of 
State, local. Tribal, and territorial agencies to address illegal cyber 
activity, opportunities do still exist to create cyber preparedness 
and responsiveness at the local level. 

The first area of support should be to provide increased scholar- 
ship support of formal education programs that contain emphasis 
on cybersecurity and cyber forensics. Funding for training is always 
an issue in the budgets of State, local, and Tribal agencies. 

Second, education and public service announcements should be 
developed and communicated by all levels of government to all 
Americans to clarify the importance of each citizen’s role and re- 
sponsibilities for creating a safer cyber network. This type of com- 
munity outreach should emphasize the importance of hardening 
computer systems and provide tips for using technology in ways 
that reduce opportunities for computer hackers and criminals who 
benefit from security lapses. 

Third, until the gap between training opportunities supply is re- 
duced to match the increasing need for training, additional facili- 
ties and programs should be created to provide training to State, 
local, and Tribal government employees. 
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Last, I would urge each Member of Congress to continue to cre- 
ate legislation as necessary to address emerging methods of cyber 
crime activity as they are identified and require stiff incarceration 
sentences for those convicted of committing cyber crimes. 

Thank you again, Chairman Ratcliffe and Mr. Burgess, for the 
opportunity to testify before you today. I would be glad to answer 
any questions. 

[The prepared statement of Mr. Wilson follows:] 

Prepared Statement of Richard F. Wilson 
April 7, 2016 

Chairman Ratcliffe, Ranking Member Richmond, Members of the subcommittee, 
thank you for the opportunity to testify today. 

The challenges faced by law enforcement at the local level in preparing for and 
preventing cyber attacks are on the rise, and continue to be difficult. While all 
Americans recognize our dependence on the internet and telecommunication devices 
to stay connected with the world, this increasing level of connectivity has resulted 
in additional responsibilities for public officials and law enforcement to police the 
world-wide communications network without impeding communications between all 
members of their community. 

The first and perhaps most difficult challenge the Dallas Police Department and 
our community partners face today, is our total reliance on computer networks for 
operational and investigative functions. This all-inclusive dependence allows for a 
much greater negative impact on our abilities to perform our duties when these sys- 
tems fail or become infected. 

Second, the extent of this connectivity enables persons and organizations with ma- 
licious intent to conduct cyber attacks from greater distances. This ability for a 
hacker to attack systems world-wide expands the list of possible suspects to all of 
the world’s population that possess a smartphone or computer connected to the 
internet. 

Third, the quantity of information passing through all communications networks 
allows hackers to avoid the trained systems analysts, and target their attacks to 
enter networks at their weakest points, by exploiting lapses in security committed 
by end-users or consumers. 

Since cyber attacks recognize no State and local jurisdictional boundaries, public 
officials and corporate managers must coordinate their investigative and manage- 
ment processes to define roles for all partners. 

The pace at which technology continues to advance is currently outpacing law en- 
forcement’s ability to educate its workforce to recognize and address cyber crime ac- 
tivity. For those officials that do recognize the necessity to increase security infra- 
structures, and choose to develop or subscribe to cyber protection programs, the 
costs associated with these efforts often compete with funds required to maintain 
other essential tasks within the organizations, where the impact from these other 
functions can be more readily counted and observed by such measures as crime 
rates and response times to calls for service. 

For those State and local agencies that commit funds for hiring cyber-trained per- 
sonnel, these agencies are often unable to compete financially with compensation 
packages and programs offered by private corporations and Federal agencies. 

Lastly, while most State and local agencies recognize their need to enhance cyber 
training for their existing workforce, the growing demand for cybersecurity and 
cyber investigative training far exceeds the current class sizes and training opportu- 
nities. 

Cyber training is an expanding area of instruction that often provides training to 
State and local partners at reduced costs or without tuition. While these programs 
reduce the direct costs of obtaining training for State, local, and Tribal employees, 
some indirect costs may result from committing a portion of the workforce to train- 
ing. The student employee’s absence can produce temporary staffing shortages that 
may adversely affect the employer agency’s responsiveness to calls for service, visual 
presence, and enforcement activity in the community, and the ability to conduct 
timely investigations of reported crimes. 

Due to the size and mission of the Dallas Police Department, and the wide range 
of assignment-based duties performed by DPD officers and civilians, supervisors 
within each division or unit are responsible for identifying job-specific training 
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needs beyond State-mandated training requirements, and obtaining instruction for 
all employees within their workgroup. 

Currently, a variety of on-site cyber training courses are offered by organizations 
such as the Federal Law Enforcement Training Center in Georgia, the National 
Computer Forensics Institute in Alabama, and Abbott Laboratories in Illinois. Some 
examples of additional training that can be obtained on-line are, SEARCH On-line 
training and at the National White Collar Crime Center. There are also additional 
training and support programs offered by other DHS components FEMA and ICE, 
as well as the Multi-State Information Sharing & Analysis Center. 

While detectives and analysts from the Dallas Fusion Center have been able to 
attend some of these training programs, there are always challenges for a first re- 
sponder organization like the Dallas Police Department. 

As such, our core capabilities at the Dallas Fusion Center are always subject to 
staffing patterns, personnel changes, and other policy considerations, so that to keep 
our level of current cyber expertise consistent and on the cutting edge, we need af- 
fordable access to cost-effective and timely training to stay on the vanguard. 

Having said that, I think we can all agree that this challenge is one we face as 
a Nation, and not just in a select few States, regions, or cities. 

It will take a full-time training effort and identified funding resources for the first 
responders of the Dallas Police Department, and other major metropolitan cities 
across the country, to stay current in our struggle to meet the increasing sophistica- 
tion of cyber crime, especially in today’s threat landscape. 

While much progress has heen made in identifying the needs of State, local. Trib- 
al, and territorial agencies to address illegal cyber activity, opportunities to create 
cyber preparedness and responsiveness at the local level do still exist. 

The first area of support should be to provide increased scholarship support of for- 
mal education programs that contain emphasis on cybersecurity and cyber forensics. 
Funding for training is always an issue in the budgets of State, local, and Tribal 
agencies. 

Second, education and public service announcements should be developed and 
communicated by all levels of government to all Americans, to clarify the impor- 
tance of each citizen’s role and responsibilities for creating a safer cyber network. 
This type of community outreach should emphasize the importance of hardening 
computer systems, and provide tips for using technology in ways that reduce oppor- 
tunities for computer hackers and criminals who benefit from security lapses. 

Third, until the gap between training opportunities supply is reduced to match 
the increasing need for training, additional facilities and programs should be cre- 
ated to provide training to State, local, and Tribal government employees. 

Last, I would urge each Member of Congress to continue to create legislation as 
necessary to address emerging methods of cyber crime activity, as they are identi- 
fied, and require stiff incarceration sentences for those convicted of committing 
cyber crimes. 

Thank you again Chairman Ratcliffe and Ranking Member Richmond for the op- 
portunity to testify before you today. I would be glad to answer any questions. 

Mr. Ratcliffe. Thank you, Lieutenant Wilson. 

The Chair now recognizes Detective Waddle for his opening 
statement. 

STATEMENT OF DON WADDLE, DETECTIVE (RET.), 

GREENVILLE POLICE DEPARTMENT, GREENVILLE, TEXAS 

Mr. Waddle. Good morning, Chairman Ratcliffe and Mr. Bur- 
gess. I thank you for the opportunity to speak with you all today. 

I served as a police officer in both the military and civilian police 
departments for 39 years. The last 25 years were spent with the 
Greenville Police Department in Greenville, Texas. The last 15 
years I was also assigned to the Criminal investigation Division 
working property crimes and fraud. Fraud often involves the use 
of computers to facilitate those crimes. Checks are generated and 
printed on computers. Credit card abuse and identity theft are 
often committed using the internet. 

I did retire from law enforcement on the 31st of last month and 
am now trying to settle into the quiet life. 
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During the last 10 years I have also been assigned to the North 
Texas Electronic Crimes Task Force with the United States Secret 
Service and worked side-by-side with both special agents of the Se- 
cret Service and with numerous State and local investigators. We 
were all trained to recover evidence from computers and cell 
phones, and we do these examinations from agencies throughout 
North Texas. These cases involve anything from fraud, to narcotics, 
to child pornography, to murder, and capital murder. I have testi- 
fied in trials from possession of child pornography, to enticing a 
child, to murder, and capital murder. 

As I look back at my career in law enforcement, I remember 
going to a call for a burglary, throwing some dust around and hop- 
ing that the perpetrators didn’t get guns or the victims’ checkbooks 
or credit cards. As time moved forward, computers and cell phones 
came into the game, and then my concern was, did they get the vic- 
tims’ computer passwords for their I-pads or their cell phones? It 
was obvious to me that for me to provide better service to the peo- 
ple of my city, I had to know how to catch the criminals and what 
they were doing, and what I needed to do to be able to present a 
case that would put these criminals in jail. 

Computer crime investigation is not an inexpensive pursuit. All 
of the software programs that you use for investigations are all 
very expensive. All of them have licenses that have to be renewed 
every year, and the monetary cost to a city of my size can be any- 
where from $300 a year to tens of thousands of dollars a year for 
the software and equipment to do these investigations. 

We needed help. There was no way that we were going to be able 
to do that. That is where the Secret Service and Federal Govern- 
ment stepped in. They helped us help our citizens by providing us 
with training, equipment, and expertise. Because of the training I 
received, I became a more valuable asset to my department. I was 
sought out by other detectives for help with their investigations. In 
major crimes I have used the training I have received to assist with 
murder investigations by mapping out locations perpetrators used 
to hide their victims’ bodies, or to helping detectives plot computer 
searches that outlined their case to intelligence for narcotics inves- 
tigators. 

I am also called on to assist other local agencies with their inves- 
tigations. They have used the information I provided to prepare 
their cases for prosecution. I am also called on by the prosecutors 
to answer questions regarding computer crime. Had I not had this 
training, I would not have made the new contacts that I had that 
have been very beneficial to me. 

In early 2006 I went to the United States Secret Service office, 
the Dallas field office, to drop off a computer for examination. I 
knew nothing about computers at that time. I spoke with Bob Shef- 
field, who was the head of the Electronic Crimes Special Agent Pro- 
gram there in the Dallas field office and the North Texas Electronic 
Crimes Task Force at the Dallas field office, and was telling him 
how interested I was in learning about forensics. He plainly said, 
“We can do that for you.” I went to the Federal Law Enforcement 
Training Center in Brunswick, Georgia for 6 weeks learning about 
computers and computer forensics. This was prior to the National 
Computer Forensics Institute. 
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In that training I learned what a computer was, what the pro- 
grams on a computer were, what their purposes were, and the 
overall operation of the computer, and I learned how to look for evi- 
dence of a crime. 

After that I went to the National Computer Forensics Institute 
in Hoover, Alabama. I started to go to the training there. I went 
to Advanced Forensics Training there. I went to the first class, 
which was one of the very first classes at the Institute of any kind, 
so there was a little bit of tweaking that needed to be done, and 
then I went back and learned a great deal that helped me towards 
my computer forensics. 

I also went to the Mobile Device Data Recovery school, or MDDR, 
which is cell phone training, and also just this last February went 
to Mac Forensic Training at the NCFI. The NCFI has worked very 
hard to give State and local officers like me a good, quality edu- 
cation and lots of tools for my toolbox and are always there to an- 
swer questions. I can call up there at any time if I have a question 
about something, and there is just somebody there who is going to 
be able to answer that question. 

The instructors that they have are all very expert in their field, 
and they work very hard to provide all of us with the proper train- 
ing that we need to be able to do our jobs. You don’t have to be 
on a level way above our heads to talk to us. 

I think that probably the best training that I ever received in my 
39 years of law enforcement was there at NCFI. I walked away 
from each class very confident in what I had learned and was able 
to put all those things back into practice and was able to do those 
things, and I am grateful for that. I am grateful to the Federal 
Government for providing that kind of tool. 

I would encourage giving thought to increasing the size of those 
classes that were offered at the facility because cyber crime is not 
going to do anything but increase. I have 2 trials coming up later 
this month that come from the investigations and the training that 
I got from the NCFI. 

I want to thank you for your time today. 

Oh, one other thing I wanted to say is that I am grateful for the 
training that I received, but my citizens have been the major bene- 
factors of that training because I was able to do a better job for 
them. 

The other thing I really liked about NCFI is that they didn’t just 
work with law enforcement officers. They also work with judges 
and prosecutors to help them understand about cyber crime and 
what is happening there so they are able to do their jobs more effi- 
ciently, too. 

I am thankful for the time that you all have given me to talk 
today, and I appreciate the opportunity that I have to say some- 
thing about this. 

[The prepared statement of Mr. Waddle follows:] 

Prepared Statement of Don Waddle 
April 7, 2016 

I served as a police officer in both military police and civilian police departments 
for 39 years. The last 25 years were spent with the Greenville Police Department 
in Greenville, Texas. The last 15 years I was assigned to the Criminal Investigation 
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Division working Property Crimes and Fraud. Fraud often involves the use of com- 
puters to facilitate the crime. Checks are generated and printed on computers. Cred- 
it card abuse and identity theft are often committed using the internet. I retired 
from law enforcement on March 31, 2016. During the last 10 years I have also been 
assigned to the North Texas Electronic Crimes Task Force with the United States 
Secret Service in Dallas, Texas. In this assignment I have worked side-by-side with 
special agents of the Secret Service and with numerous State and local investiga- 
tors. We are all trained to recover evidence from computers and cell phones, and 
we do these examinations from agencies throughout North Texas. These cases in- 
volve anything from fraud to narcotics to child pornography to murder and capital 
murder. I have testified in trials from possession of child pornography, to enticing 
a child, to murder and capital murder. 

As I look back at my career in law enforcement, I remember going to a call for 
a burglary, throwing some dust around and hoping that the perpetrators didn’t get 
guns or the victims checkbook or credit cards. As time moved forward computers 
and cell phones came into being and on that same burglary, I now had to hope the 
perpetrators did not get the victims’ computer passwords or their cell phones. If that 
happened there was no telling, how much the victim would end up being victimized. 
It was obvious, that for me to provide better service for the people of my city, I had 
to know how to catch the criminals that were committing these offenses. Computer 
crime investigation is not an inexpensive pursuit. The monetary cost to the city for 
training and equipment, can be anywhere from $300 dollars a year to tens of thou- 
sands of dollars a year. We needed help. That is where the U.S. Secret Service and 
Federal Government come in. They helped us help our citizens by providing us with 
training, equipment, and expertise. Because of the training I received, I Became a 
more valuable asset to my department. I was sought out by other detectives for help 
with their investigations. In major crime I have used the training I have received 
to assist with murder investigations by mapping out locations perpetrators used to 
hide their victims bodies, to helping detectives plot computer searches that outlined 
their case, to intelligence for narcotics investigators. I am also called on to assist 
other local agencies with their investigations. They have used the information I pro- 
vided to prepare their cases for prosecution. I am also called on by the prosecutors 
to answer questions regarding computer crime. Had I not had this training, I would 
not have made new contacts that could be beneficial for me as well. 

In early 2006, I went to the United States Secret Service, Dallas Field Office to 
drop off a computer for examination. While at the office and lab, I spoke with Bob 
Sheffield who was the head of the Electronic Crimes Special Agent Program 
(ECSAP) and The North Texas Electronic Crimes Task Force (N-TEC) at the Dallas 
Eield Office, and was telling him how interested I was in learning about forensics. 
Mr. Sheffield plainly stated “We can do that for you.” I went to the Federal Law 
Enforcement Training Center in Brunswick Georgia, for 6 weeks learning about 
computers and computer forensics. Shortly after completing this training the Na- 
tional Computer Eorensics Institute (NCFI) was opened in Hoover, Alabama. I start- 
ed to go to the training at NCEI, and have been to Advanced Forensics Training 
(AFT), Mobile Device Data Recovery (MDDR) cell phone training, and Mac Forensic 
Training. The NCFI has a solid outline of what is needed for each class. They strive 
hard to provide very qualified instructors, who make every effort to give each stu- 
dent all they need to be qualified to do their job. The equipment NCFI provides and 
the equipment used for the classes is some of the very best that can be used. Not 
only is there discussion of ways to conduct a forensic investigation but discussion 
also covers court procedure and testifying. I have also been to numerous conferences 
related to electronic crime and have always come away with something new. I am 
not the main benefactor of this training. The citizens of Greenville, Texas and Hunt 
County, Texas, as well as the north Texas area reap the benefits of this training 
with better recovery rates for property as well as more perpetrators being taken off 
the streets. NCFI also trains prosecutors and judges in protocols and also in evi- 
dence. 

Mr. Ratcliffe. Thank you, Detective Waddle. 

I will now recognize myself for an initial round of questions for 
our distinguished panel. 

Let me start with you, Mr. Davis. As you know, prior to being 
elected to Congress, I served on the Advisory Board at TEEX, and 
so I am very familiar with your organization. It is the largest 
homeland security training facility in the world, I think some 
200,000 folks a year. 
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Mr. Davis. Yes, sir. That is exactly correct. 

Mr. Ratcliffe. So it is just a terrific organization, and again I 
am thankful that you are here today. 

So in your capacity there at TEEX, I would he interested in your 
perspective on what are the key challenges with cyhersecurity 
training at the local level going forward. 

Mr. I)avis. Yes, sir. Thank you. Eirst of all, to your comments re- 
garding TEEX, because we are serving and extension is part of our 
mission, I would think that my perspective is the awareness issue 
that training is available that is DHS/EEMA-funded training, sir. 
I reeled off some numbers of 32,000 that we have trained across 
the United States, but when we look at what portion of those num- 
bers come from the State of Texas, for example, or if I go to State 
and local districts, those numbers are very, very small. 

So I think the issue is the awareness in accessing that training 
that is available. One of my fellow panel members mentioned the 
need for training, and of course I passed my cards out here. But 
we go to those jurisdictions so they don’t have to spend any money 
sending them to us. We do direct-delivery, face-to-face training. 

So the short answer to your question is awareness and access- 
ing — not access, but accessing 

Mr. Ratcliffe. So as a follow-up, do you know that even here 
in this audience there are a whole bunch of local community rep- 
resentatives that could be the beneficiaries of that type of cyber 
training TEEX offers? So how can they get it? 

Mr. I5avis. Yes, sir. We have on-line training at www.teex.org. If 
you go on our website you will see a section on cyhersecurity train- 
ing, and anyone that is in this audience can, in fact, access that 
training on-line. 

Mr. Ratclifee. So, a follow-up question. Is TEEX right now in 
a position to — or how is TEEX leveraging any relationships or part- 
nerships with the Department of Homeland Security at the Na- 
tional level? 

Mr. Davis. Yes, sir, we are. I had some details in my statement. 
But first of all, we think it is always important to address any 
issue as a team. I think you used the team sport analogy there. 
There has recently been a reorganization of several entities at the 
DHS level to become more operationalized, okay? 

There is a young lady here with me today, Ms. Rebecca Tate. 
When we started doing cyber training back in 2010, we visited first 
with our program manager — ^back then it was also called NCSD, 
National Cyhersecurity Division — and the Infrastructure Protection 
Directorate. We went to them to talk about those things we were 
hearing from State and locals. 

So we met with them on a regular basis to actually find out what 
training needs did they see at the National level, and I am proud 
to say we are on our third course now that is a result of that col- 
laboration. We did a recent course in the States of Utah and Rhode 
Island that brings cyber and infrastructure protection together, and 
that is a direct result of our collaboration with those folks in DHS. 

Mr. Ratcliefe. Terrific. Thank you. 

Chief Greif, let me turn to you. You bring to us today a wealth 
of professional experience with different public safety organiza- 
tions. I know you are here today as a spokesman for the lAEC. So 
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let me ask you, when Congressman Burgess and I and others at 
the National level talk a lot about the importance and the need for 
coordination across critical infrastructure sectors to encourage 
cyber resilience, how are those efforts or how do those efforts im- 
pact public safety organizations at the State and local level like you 
have been involved with? 

Mr. Greif. For example, we have fusion centers that are often 
funded with Office of Emergency Communications funds. Those fu- 
sion centers allow all of the common agencies, the necessary agen- 
cies to mitigate any type of emergency situation, to come together 
with all stakeholders. The more we are coming together and shar- 
ing some information with one another, that would be one example 
of how that benefits us. At the National level, the funding trickles 
down to the local jurisdictions. 

As I said earlier about the Super Bowl, I had no idea until I was 
put on that committee just what-all goes into a major event like 
that, the planning with all the different agencies throughout the 4- 
county region that came together. We met monthly for a year just 
on my committee, which was communications. A big effort was 
talking about all the resources that were available to us, protection 
as well as workarounds, what to do in case of 

Mr. Ratcliffe. I am glad you mentioned that because as a fol- 
low-up and in your testimony you talked about it being worthwhile 
to study the effects of cyber attacks on public safety organizations. 
Are you aware of anyone who is putting together sort-of a best 
practices with respect to public safety organizations and cybersecu- 
rity practices? 

Mr. Greif. One of the efforts that is underway is I chair a — I am 
on the board of directors for a public safety communications agen- 
cy. The DHS has actually sent members a few times a year when 
we meet annually, and there is a panel of experts. It is made up 
of IT personnel, information technology people, as well as fire, po- 
lice, EMS, and they are working on a document just like that, that 
came out at last year’s meeting. 

So certainly it is on the forefront of our consciousness. We are 
doing everything we can to piggyback on Mr. Davis’ comments. It 
is knowing, understanding what is out there. There is some won- 
derful training available. It is getting personnel to understand that 
the fire and police, especially speaking for my brethren, that we 
understand the necessity for us to get involved in the critical ques- 
tions we need to be asking. 

Mr. Ratcliffe. Terrific. I noticed in your testimony you talked 
about segregating the CAT and the 9-1-1 systems for security pur- 
poses. Is that common? 

Mr. Greif. I can’t say for sure because I have only been a part 
of two jurisdictions, so I don’t want to get too specific, but I don’t 
believe that it is widely spread. We were very cautious where I 
came from. We wanted to make sure we took all reasonable means, 
even though that added some complexities to day-to-day life. The 
more you secure something, the harder it is sometimes to operate 
it or update it. But we felt it was worth the trouble to keep it seg- 
regated. 

Mr. Ratcliffe. Terrific. Thank you. 
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I do have some additional questions, but I want to yield to Con- 
gressman Burgess. As I mentioned, I am very grateful that he is 
here today at this subcommittee hearing. He represents the 26th 
Congressional District of Texas, which sounds like it is a long way 
away from the 4th District, but it is really next door. He represents 
all of Denton County and most of Tarrant County as well. He 
serves on the House Energy and Commerce Committee, and in that 
capacity he also is the Chairman of the Subcommittee on Com- 
merce, Manufacturing, and Trade, and he is very steeped in cyber- 
security issues. In that role he has been a leading voice in Con- 
gress on the data breach issues as cyber criminals focus on more 
fraudulent activity that affects more Americans and that affects 
commerce. He has been a leading voice with respect to the need for 
legislation in that area. 

So with that, I want to recognize Congressman Burgess and yield 
him as much time as he may consume to provide some remarks on 
the issue of data breach questions he may have for our panel. 

Mr. Burgess. Great. Thank you. Chairman. 

Thank you all for being here. Thank you for allowing me to be 
here. 

Chairman, it is not lost on me that this is a field hearing, and 
I am sure your district is grateful that you are doing it and you 
are here on the campus. Even though we are not in the Rayburn 
Room, Mr. Rayburn, this is his district. So it is fitting that we are 
here. 

I do serve as the Chairman of the Subcommittee on Commerce, 
Manufacturing, and Trade. We are concerned about data breach 
episodes that have occurred and the consequent notification that is 
or should be required for the protection of the consumer when 
these breaches do occur. So while Chairman Ratcliffe is Chairman 
of the subcommittee that deals with the .gov side of the world, we 
deal with the .com side of the world. But as I tell people all the 
time, it doesn’t really matter. Data security is National security, 
and if you forget that fact, then you are going to be upset at some 
point, which we all found last year at tax filing time and we rather 
expect it may come up again in a couple of weeks when the income 
taxes are filed and people realize that they can no longer file their 
taxes on-line because their accounts have been diverted in the past 
and monies have gone inappropriately. 

The good news is the taxpayer is eventually made whole. It does 
take longer for them to get their refund. The bad news is that the 
Federal Government actually is refunding that money twice. It is 
unlikely they will recover it for the individual who is inappropri- 
ately reimbursed, and this is no surprise because of the behavior 
of someone who would do that. Sometimes they over-estimate the 
amount of money they are doing that reimbursement. So it is kind 
of like a double-whammy for the IRS. I know we got a ton of calls 
on that last April 15. 

Mr. Wilson, I rather suspect that — a lot of our calls started to 
come from some of our local police agencies when our neighbors 
called the police department and said, oh my gosh, our taxes have 
been hacked and I have been robbed. They said, well, let’s call your 
Congressman and he will fix it. 

[Laughter.] 
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Mr. Burgess. True, but it took some time, and it was very un- 
comfortable all around. 

I really got interested in the data breach notification. All of us 
are consumers, and we hear the big stories about the big breaches, 
and then the data is taken. It is data that is at risk somewhere 
and you don’t really know what anyone is doing with it. But from 
the consumer’s perspective, when do we need to be notified? It al- 
most seems like we have breach fatigue because we hear so much 
about breaches. I am not going to worry about it anymore because 
I just can’t worry about all of these things that I am hearing. 

So we really did try to set the parameters around a National 
data security standard and for when that breach notification 
threshold should be triggered, and if law enforcement says we need 
more time, that they be given more time. But if law enforcement’s 
time frame is okay, then the person who was holding the data that 
has subsequently been breached, that they have a certain time 
frame in which they must notify the individual. Right now, the bill 
has passed through the subcommittee, our subcommittee and our 
full committee, and it is awaiting floor activity right now. That 
time frame is set at 30 days. 

In setting a National security standard, it is your duty to tread 
carefully because there are 51 State jurisdictions, if you include the 
District of Columbia, more if you include the territories, who may 
already have their own ideas about what these data security stand- 
ards are, and I am sensitive to that. The Commerce Clause is 
sometimes over-used and over-interpreted by the Federal Govern- 
ment. 

But this is one of those times when I try to envision the Found- 
ing Fathers sitting down and writing those Article I conventions: 
What are the powers of the Congress? The regulation of interstate 
commerce, the trade between the Indian tribes — well, okay, they 
were 100 years before the telegraph, 150 years before the tele- 
phone, 250 years before the internet, but they were probably think- 
ing of e-commerce when they wrote the Commerce Clause into the 
Constitution because e-commerce, by definition, needs to flow 
seamlessly across the borders of those States, and the Commerce 
Clause was absolutely necessary for e-commerce to exist. We want 
to be sensitive to that. 

To the extent that a National standard is set. States do need to 
have a big say in what that floor is that is going to be established, 
and the State attorneys general. The provision that passed through 
the committee, the full committee, was that the Federal Trade 
Commission would use existing enforcement authority. We did not 
want to create a new enforcement authority because we already 
have enough Federal agencies. But the Federal Trade Commission, 
using its existing authority on deceptive and unfair trade practices, 
would exercise that authority. But the attorneys general of the sev- 
eral States would be able to bring their own cases under those FTC 
provisions if the FTC was not moving fast enough, which will occur 
from time to time. 

That bill has passed through the subcommittee. It is awaiting 
floor activity. 

I wake up every morning kind-of living in fear of, when is the 
next shoe going to drop on this? You hear about a big company. 
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and they have been hacked, and they took all these records, and 
they are sitting somewhere, and nothing is really happening with 
that. When is the other shoe going to drop on all of those people 
who were exposed in that breach? 

The other thing that we really have just begun to scratch the 
surface of in our subcommittee, and I know Chairman Ratcliffe will 
work on it in his subcommittee, is it is terribly frightening to me 
as a physician to think about the denial-of-service activity that has 
been hitting some health care organizations. To think of having a 
fragile medical patient in the ICU, and you walk in in the morning 
and you say may I see the chart of the overnight vital signs of my 
patient, and they say I am sorry, sir, it has been encrypted, and 
we don’t have the key. I mean, what a dreadful situation to find 
oneself in. 

Mr. Wilson, I think you mentioned it in your testimony, about 
coming up with, how do you set the deterrence on some of these 
activities? 

Mr. Chairman, I would just say I think in the case of 
ransomware applied to a health care organization, the deterrence 
ought to be, “You will be shot at sunrise,” and perhaps that will 
do it, because this is a life-or-death situation with these patients 
where their medical records have been encrypted by a criminal. 

But again, very useful panel for me. We do an emergency pre- 
paredness summit in my district usually in April of every year. I 
will be doing one in a couple of weeks. We live here in an area 
where severe weather can happen in the month of April. It can 
happen any month, as we learned this year, but April is when we 
are most at risk for that. So I am very interested in some of the 
things I learned this morning about — you protect your systems. 
You conflate a denial-of-service activity with a Super Bowl, and 
that is a big deal. You know the criminal mind is just ever — things 
spring from it all the time, and you just can’t help but wonder 
what criminals might be thinking about. 

But let me just start with you, Mr. Davis, and your training. You 
mentioned you have some on-line instruction courses 

Mr. Davis. Yes, sir. 

Mr. Burgess [continuing]. That are available? 

Mr. Davis. Yes, sir. 

Mr. Burgess. Would you tell me just a little bit more about this? 
Can average citizens access those, or is that something that is per- 
haps reserved for the chiefs personnel in part of their professional 
training? 

Mr. Davis. The average citizen. Congressman, can access those, 
and it is good basic information. I will give a personal example, and 
I hope my wife doesn’t get to see this 

Mr. Burgess. It is just between us. 

Mr. Davis. Just between us boys here, right? Okay. 

I got an email from a friend that said, hey, be careful. This is 
a colleague at work, and I forwarded it to my wife. As I was for- 
warding it, she was calling me or texting me to tell me that, hey, 
I just got some information, re-verify my account number, my pass- 
word, my this, that, and the other. She was doing a couple, 3 
things. These shows that come on at 11 o’clock, these people, okay? 
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She had given them all her information. I said, my gosh, did you 
read the email I sent? She didn’t. 

So when we talk about those things, when we talk about the on- 
line courses, the general users, which talks about really those 
things you need to be aware of, okay? Even now, even I am more 
sensitized. Even when I get busy and I am looking at an email, if 
I don’t recognize somebody, I get more emails from auctioneers, go 
pick up your money at the bank, we need your account because we 
want to deposit something, and I go delete, delete, delete. 

So to answer your question, sir, they are available on-line at 
www.teex.org, and the average citizen can access those courses, and 
I recommend that they take them. 

Also, last, let me say there are 3 States right now, Arkansas, 
Louisiana, and Wyoming, and also a college, Fresno Pacific Univer- 
sity, where they are requiring their workers to take our on-line 
courses. 

Mr. Burgess. So part of my question, then, is do you provide 
some credential for the person who has satisfactorily completed 
the 

Mr. Davis. Yes, sir. They get a certificate for completing an on- 
line course, and I think more importantly than the certificate, they 
gain some knowledge that they can spread around geometrically 
about how to protect their own information. 

Mr. Burgess. Seems like it would be a useful thing for a home- 
owner’s insurance policy. You know, sometimes we will give a 
break to someone who takes a defensive driving course. 

Mr. Davis. Yes, sir. 

Mr. Burgess. On their automobile insurance. This might be one 
of those places where the insurance company might want to be 
proactive, and I am glad that you are providing the service. 

Mr. Davis. Yes, sir. 

Mr. Burgess. Is there a charge? 

Mr. Davis. There is no charge, sir, but I think you have just 
given us an idea to really reach out to insurance companies and 
say, hey, here is an idea here, because you are right, I have done 
that to get that discount. Dad doesn’t teach me to drive. I pay 
somebody 

Mr. Burgess. Very wise. 

Chief, let me just ask you, in your previous role when you were 
at the City of Fort Worth — of course, I don’t want to get parochial 
here. Forgive me. Chairman, but we have a Super Bowl twice a 
year in Fort Worth called the Texas Motor Speedway, and that will 
be happening this month. The Commander 500 I think is the name 
of the race. Do you have as many people come to the Texas Motor 
Speedway as come to a Super Bowl? 

Mr. Greif. Yes. 

Mr. Burgess. So even though the Super Bowl is unique, you 
have these large, widely-attended events that happen in the city of 
Fort Worth. I assume there has been kind of a learning curve with 
that, but it gets back to the question that Chairman Ratcliffe 
asked. How do you share that best practices information from man- 
aging those large, widely-attended events with other jurisdictions? 

Mr. Greif. I am certain it is still going on. I am actually glad 
I won’t have to be part of that planning committee. We used to 
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tease the Arlington folks about we do Super Bowls twice a year, as 
you alluded to. It starts months in advance, holding meetings. You 
hold these meetings so often, you start building personal relation- 
ships where you get to know Captain Webster from Texas Depart- 
ment of Public Safety. I met more people throughout the Denton 
region. 

We came together and started about 3 or 4 months in advance 
of each race, and you just literally shared as much information as 
possible across lines with one another. As I said, it is so important 
to prepare for a cyber attack and prevent it, and you have to have 
preparations, which I won’t go into details about, but what do you 
do when one actually occurs? You need to have back-up. 

Those types of meetings are a mini-fusion center when it really 
comes together and we sit there and spitball and come up with 
ways to mitigate. So it is just a series of meetings, sir. 

Mr. Burgess. Let me just ask you a question. We do have some 
students in the audience, and you referenced the UASI program. 
The former mayor of Mont Creek taught me a number of new 
words, and UASI was one of them. I thought it was a pejorative 
term when he first used it because when those initial grants came 
out, if I recall correctly, as the Department of Homeland Security 
was being organized, the UASI grants were administered region- 
ally. They were delivered to Dallas and expected to be shared with 
Fort Worth, and I just remember the mayor having some issues 
with that. 

But for the students here, could you kind-of go through what the 
UASI program is? 

Mr. Greif. Well, a Federal program that provides funding for fire 
and police in other jurisdictions as well, but obviously those are the 
ones I am most concerned about, and many things get funded out 
of that, like training opportunities. We can hold anything from haz- 
ardous materials classes, where that funding not only was paying 
for our personnel to go get the needed training, but it was paying 
for the backfield because you still had to have troops driving trucks 
to keep the city safe, to hardened equipment. It is amazing. 

Again, some of the stuff is somewhat — I won’t talk about nec- 
essarily some of the equipment that was purchased to protect the 
community, but a major expense in equipment was purchased for 
the protection of many different types of terroristic activities, and 
that equipment was in place in cities all across central Texas be- 
cause of UASI. 

Mr. Burgess. Chairman, I will yield back to you, and if possible 
I will do a second round as well. 

Mr. Ratcliffe. Perfect. I thank the gentleman. 

Detective Wilson, I want to take advantage of the fact that you 
are here on behalf of the Dallas Police Department, obviously one 
of the largest, most visible police departments in the United States. 
I am just curious if you can offer perspective on what the daily 
cyber threat looks like at the Dallas Police Department. 

You talked about in your testimony reliance on computer net- 
works for operational and for investigative functions, so I assume 
that you have to take that into account in terms of the daily 
threats that are coming into the Dallas Police Department, and 
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also take that into account in how you are training your personnel 
to deal with those threats. 

Mr. Wilson. Well, as you said, the Dallas Police Department is 
the ninth-largest police department in the country, the second larg- 
est in the State. So we act as a nexus for a lot of information shar- 
ing, as well as collection. Daily, we get notifications from agencies 
asking for information to support an investigation or some type of 
threat that they have uncovered, to give them the guidance or put 
them in the right direction, who is the expert who can go in and 
help them. 

Unfortunately, the Dallas center does not have a technical expert 
within the center that deals with cyhersecurity, but as part of the 
approach to dealing with a wide varieties of crimes that we deal 
with, we have a partnership with our Federal agencies, and we 
have an expert within the Dallas Police Department who actually 
works with a task force and the FBI. We also have a couple of offi- 
cers that deal with computers, and they have been doing it for 
years and years. We find that as they continue to perform these 
functions and people know the capabilities that we have, we are in- 
creasingly tasked with trying to assist other agencies. 

As a fusion center director, I see most of the emails that come 
into our center on a daily basis, so my email averages approxi- 
mately 200 to 300 per day coming in from Federal partners. State 
partners, local partners, and from other States as well, trying to 
reach out to you, to take advantage of the network. 

As we look forward to increasing our ability to address the cyber 
threats, we basically have 2 problems. One is stop the cyber threat 
in itself, and No. 2 is how do you pursue the cyber threat actor, 
the person who actually committed it, and to what extent do we go 
to prosecute? That definitely leans toward our Federal partners. 
That is their jurisdictional area. They have the resources and the 
expertise oftentimes that we do not have, and they are always look- 
ing to try to assist us in these types of situations. 

Mr. Ratcliffe. Terrific. Thank you. Lieutenant. 

Detective, I actually had a bunch of questions for you, but your 
testimony was so thorough that you pretty much covered it. I want- 
ed to ask you about your experience with the Electronic Crimes 
Task Force and, of course, the NCFI, National Computer Forensics 
Institute, which my bill would authorize into law. I really appre- 
ciated your testimony. You spoke eloquently of how it benefitted 
you with respect to your career, but also benefitted the folks that 
you serve as a detective in Greenville. I just think that, more than 
anything else, it is a great message, and I hope that as you go into 
retirement that you will still continue to be a great ambassador be- 
cause I think that is what you are, an ambassador for how State, 
local, and Federal partnerships, particularly as they pertain to Na- 
tional security issues and cyhersecurity as a National security 
issue, how they are supposed to work. 

We all know that 9/11 was a communication failure in many re- 
spects, and we have worked hard in trying to eliminate that, and 
with respect to the threats in cyber space and cyhersecurity, we 
want to avoid a cyber 9/11, if you will. So some of the programs 
that you have been a part of, some of the partnerships that you 
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have been a part of have prevented that up to this point in time 
and, I think, can in the future. 

So again, I just appreciate you being here today, your testimony, 
and what you stand for in that respect. 

I am just going to close with a question for anyone that wants 
to take it, or all of you that want to take it. We asked the question 
about what are the key challenges, and from your testimony many 
of you talked about the financial side of things and, obviously, fun- 
damentally the role that Congressman Burgess and I and others in 
Washington can play with respect to that and how that affects 
workforce issues. 

But are there authority issues out there that we can help you 
with in Washington? In other words, are there things from an au- 
thority perspective that we should be legislating on in this space 
that you think need to be addressed? Anyone. 

Mr. Wilson. I would say that the proper authority for inves- 
tigating cyber crimes is the way that you can get the most impact, 
obviously, achieve a conviction. I would love the Federal system to 
stay for the day instead of 1 day or 3 days. So oftentimes, when 
we can’t get the impact to take that offender off the streets in a 
time that we consider to be reasonable, we turn to our Federal 
partners. They have a much wider reach, a little bit bigger handle 
to hit them with it. They are most gracious and most times if they 
can do so, they will. They have expanded powers. I believe that 
through legislation you will find it will be even a stronger growing 
trend from a local perspective to turn around and say rather than 
a State trial, let them go and see what they can do to stop that 
behavior. That would be my perspective. 

Mr. Waddle. I kind-of go along the same lines. We see so many 
repeat offenders that go off and that use our State prison systems 
as education. I think that we have to be stiffer in our punishments 
with these offenders because of the amount of damage they do 
monetarily and even physically. So maybe some stiffer enforce- 
ment. 

Mr. Ratcliffe. Thank you. 

I again recognize my colleague for any additional questions he 
may have. 

Mr. Burgess. Thank you. Chairman. 

Detective, you did an excellent job of detailing how you had re- 
ceived the training and being able to provide protection for the peo- 
ple of your jurisdiction. We live under the tyranny of the Congres- 
sional Budget Office where we work, and everything is looked at 
as a cost. But as I listened to you provide your testimony, it also 
occurred to me that there was value brought back to your depart- 
ment, to Greenville, value back to the community, and sometimes 
it is very difficult to dissect out. When we look at something on a 
sheet of paper, on a spreadsheet, it is just a cost, and we deal with 
this in health care all the time, and it drives me nuts. But there 
is really no way to offset the cost with the value that you brought 
back to your community. 

Just as we conclude the hearing today, if there are thoughts that 
you have on that that you would like to share with us about how 
to better tease out that value figure, whether there is a fraction or 
a multiplier that could be applied. Perhaps in your experience you 
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have encountered either some examples or even a formulaic ap- 
proach, this much was invested in the activity that I undertook, 
but this much was delivered back to the community. 

Mr. Waddle. The one thing that I failed to mention in my testi- 
mony was that not only do I cover Greenville, but I also assist the 
local agencies in Hunt County. Privately in our office I did that, 
but also at the Electronic Crimes Task Force, we covered most of 
North Texas. So we assisted agencies from Denton, from Steuben- 
ville, from Tyler, Lindale, that area, all the way out to Texarkana. 
So the training that I received has been able to help me help those 
people. 

There is a cost, and I understand that. Again, I don’t question 
that. We had the same problem in the city, the city manager say- 
ing, well, you don’t need to spend that. I understand that. But 
when we can benefit, and in my case, with the experience that I 
have, when we can benefit our own citizens and those around us, 
and they know that they have somebody that they can contact to 
get answers, I think that the money spent is spent well because it 
benefits so many people in getting answers to their questions and 
assistance in their investigations. 

Mr. Burgess. Intangible, difficult to calculate for a return on in- 
vestment, but it definitely exists, doesn’t it? 

Mr. Waddle. Exactly. 

Mr. Burgess. Thank you, Mr. Chairman. I will yield back. 

Mr. Ratcliffe. I thank the gentleman. 

I thank all the witnesses that have been here today for your val- 
uable testimony. 

Again, I thank Congressman Burgess for being here and bringing 
his insights into this important topic. 

Other Members of this committee that aren’t here today may 
have some additional questions for our witnesses. So if that hap- 
pens, we will ask you to respond to those in writing. 

Pursuant to Committee Rule 7(e), the hearing record from today 
will be held open for 10 days for Member statements and for follow- 
up questions. 

In closing, let me just again say thank you to everyone that is 
here today, that has participated in putting this together, and 
thanks to everyone in Grayson County for letting me bring the 
Washington road show here to my home district. 

With that, without objection, this subcommittee stands ad- 
journed. 

[Whereupon, at 12:22 p.m., the subcommittee was adjourned.] 
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Questions From Chairman John Ratcliffe for Alphonse Davis 

Question 1. Are State and local governments ever the target of nation states, 
hacktivists, or criminals and are they aware of and taking advantage of the protec- 
tions that DHS offers through its Enhanced Cybersecurity Services program? 

Answer. State and local governments are targets currently under attack with 
unstructured, structured, and highly-structured attacks. These attacks range from 
the unstructured “script kiddies” looking for low-hanging fruit to the less-frequent, 
highly-structured attack from nation states looking to gather information. We are 
also aware of motivated actors from foreign organized crime organizations utilizing 
ransomware in our country, even at the local Government level — a trend that seems 
to be growing. 

Our experiences and relationships across the country indicate that the DHS-sup- 
ported NIST Cybersecurity Framework is gaining recognition and respect within 
local and State communities, as well as with small, medium, and large businesses. 
However, widespread awareness and adoption of the DHS Enhanced Cybersecurity 
Services (ECS) is in the very early stages. ECS needs more exposure in order to edu- 
cate local and State governments on its availability and capabilities, with additional 
information on how to request the services. 

Question 2a. How does TEEX decide what cyber-related training courses to offer? 
How are those courses evaluated? 

Answer. For the development or continuation of any cyber-related training 
courses, we conduct a needs analysis to examine gaps in operational knowledge and 
capabilities, gathering data from National surveys, utilizing publicly-available data 
on training needs (from reports such as the 2015 National Preparedness Report), 
and interviewing State and local contacts regarding their needs. As part of that 
needs analysis, we evaluate the scope and priority of the need, the audience, the 
method of training delivery, and the availability of duplicate or similar training. 

In some instances, the development of a new course is initiated by Federal part- 
ners. Most recently, the “Physical and Cyber Security for Critical Infrastructure” 
course was developed through a collaboration between DHS Cybersecurity and Com- 
munications and the DHS Office of Infrastructure Protection. They recognized the 
need for a better understanding of the interdependency between physical and cyber- 
security at the local level as well as the need for communities to collaboratively for- 
mulate enterprise risk management strategies, enhancing infrastructure security 
and resilience efforts. The DHS departments worked with TEEX to develop the 
course that meets that need. 

During the recent revision of a course on “Community Preparedness for Cyber In- 
cidents,” we examined the gap identified between Emergency Management and In- 
formation Technology. We conducted interviews with people in these disciplines to 
identify what they need to learn to be better-prepared for the ever-increasing and 
ever-evolving threat of a significant cyber incident. We are in constant communica- 
tion with State and local governments, and they often describe what they are seeing 
in their communities and ask how we can assist. 

Question 2b. Are they assessed or updated regularly, due to the changing cyber 
landscape? 

Answer. Our courses undergo a needs analysis and recertification every 3 years 
in order to remain relevant and current. In addition, our courses are continually 
evaluated through participant feedback to identify improvements and updates prior 
to a schedule update. 

Our program staff (instructors, curriculum developers, managers) dedicates a sig- 
nificant amount of time each week researching and learning about the latest trends 
and threats in the cybersecurity landscape. This information is used to update 
course content and for use as updated examples in course deliveries. We also keep 
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in close touch with our DHS partners and add information to our courses about new 
DHS resources and assistance available as we learn it. 

Questions From Chairman John Ratcliffe for Sam Greif 

Question la. How important is coordination across critical infrastructure sectors 
for encouraging cyber resilience? 

Question lb. How do these efforts impact public safety organizations and State 
and local entities? 

Answer. As you can imagine, it is vitally important that critical infrastructure 
sectors share information about potential threats. Local fire and emergency medical 
service departments need to be warned of potential cyber threats, so that they can 
take the appropriate protective action. For example, while there have been well-pub- 
licized stories in the media about hospitals having to deal with the effects of 
ransomware incidents, local fire departments also have had to deal with these prob- 
lems. In January, the city of Snoqualmie, Washington, paid a ransom of $750 to 
hackers that took control of a computer at the Duvall Fire District. 

I receive notices of possible threats from the local Plano police department, the 
council of governments, and the Homeland Security Information Network, among 
other resources. This information, and the lessons learned from cyber attacks, is key 
to preventing or mitigating these threats. It is important to recognize that the ease 
of implementing a cyber attack may encourage a lone-wolf terrorist or criminal, who 
otherwise would not want to risk personal injury in a kinetic assault on a fire or 
police station. So we may see an increase in these threats in the future. Again, 
thank you for the opportunity to participate in the discussion on this important 
topic. The threat of cybersecurity only continues to increase. The Nation’s fire and 
emergency service must be prepared for it. 

Questions From Chairman John Ratcliffe for Richard F. Wilson 

Question 1. Are State and local governments ever the target of nation states, 
hacktivists, or criminals and are they aware of and taking advantage of the protec- 
tions that DHS offers through its Enhanced Cybersecurity Services program? 

Answer. The city of Dallas has in the past, and with daily incidents, been sub- 
jected to, and been the subject of adversarial attacks by foreign powers, foreign 
extra-territorial actors. National and local hacktivists, criminals and unclassifiable 
agents. 

The city, in addition to local defensive capabilities, also utilizes the services and 
cyber-intelligence capabilities provided by Department of Homeland Security, DHS, 
and other National (private and public) capabilities. 

Question 2a. How important is coordination across critical infrastructure sectors 
for encouraging cyber resilience? 

Question 2b. How do these efforts impact public safety organizations and State 
and local entities? 

Answer. It is extremely important and a necessity to have a structured, systemic 
coordination, incident response collaboration, monitoring, quality capabilities and 
management between the SLTT and central government. 

The impacts these types of activities provide to public safety organizations, and 
State and local entities are more structured protective strategies, more pro-active 
incident alerting, and responses that leads to faster incident identification and man- 
agement. This in turn ensures that outcomes of these incidents are managed effec- 
tively and timely, thereby ensuring that the adverse potential outcomes of these in- 
cidents, do not overburden the local resources and capabilities. 

Questions From Chairman John Ratcliffe for Don Waddle 

Question 1. How was your work with the Electronic Crimes Task Force (ECTF) 
valuable to your career as a detective? 

Answer. In my police department, while working as a detective, I worked property 
crimes, which covers theft, criminal mischief, stolen cars, and fraud. Prior to being 
assigned to the North Texas Electronic Crimes Task Force, there was only a few 
ways for me to go at fraud. This would be what I read in books or by getting guid- 
ance form our prosecutors. After getting on the task force I learned more by being 
involved in investigations with other agencies and with helping Federal authorities 
with their investigations. I was able to share my knowledge with other members 
of law enforcement and was also able to build up my knowledge in investigating 
fraud. I was also able, because fraud oftentimes involves computers and cell phones, 
to learn about computer and cell phone forensics. By being assigned to the task force 
I learned more about the crimes I was investigating, and was able to use that 
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knowledge to prepare better cases for prosecution, and to bring answers to my vic- 
tims of crime. 

Question 2. How did your work with ECTF differ from or support your work as 
a detective in Greenville? 

Answer. I do not believe my work with the task force differed from my work as 
a detective in Greenville. My job is to investigate crime and I did that in both 
places. I built a strong network of other investigators that could help me if I had 
a question, or I could help if they had a question. When I think of supporting my 
work as a detective in Greenville, I would probably never have been able to conduct 
the investigations I conducted without the equipment and training I received as a 
task force member. One case in particular was a defendant who stated he talked 
to another person very infrequently, but when I examined both phones I was able 
to determine that they had numerous conversations all the time. This was done 
using equipment and training I received while assigned to the task force. I also had 
Federal partners that could come in and help me with my investigations, and if 
need be, could assist me in preparing for a Federal prosecution of the case. 

I hope that my answers to your questions provide enough information for you to 
make important decisions related to Cyhersecurity, Infrastructure Protection, and 
Security Technologies. 

I want to stress that I am extremely grateful for having been on the North Texas 
Electronic Crimes Task Force and the training and equipment that I received. The 
city of Greenville and all of Hunt County, Texas, benefitted from my association 
with the Electronic Crimes Task Force. 
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